Overview

overview

10

Static

static

3

16cad33f88...9N.exe

windows7-x64

10

16cad33f88...9N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-09-2024 08:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    16cad33f8854ca2950a1118efd4ae701a62af2d1d2a93ac3620684136861bc19N.exe

  • Size

    46KB

  • MD5

    7d61cb72fb4c9715a6e2abb476426480

  • SHA1

    36a57a568a240f49dab57a13e9a77642cc3d02c1

  • SHA256

    16cad33f8854ca2950a1118efd4ae701a62af2d1d2a93ac3620684136861bc19

  • SHA512

    7d18c28ffc78c46b6b5939f87a221ab5cbcd74b17b865cd50f5d6d43933f8f305c85120864b777ae9bcd0ff4762d17e1f35a9a1f5077255e005739b896f13f91

  • SSDEEP

    768:zIP5WOMVs4PSV06ymNNC6S7Cm1n2OBGRIWNSE77NPQ1TTGfGYi6KMf1Q:zI0OGrOy6NvSpMZVQ1J4KMf1Q

Score
10/10
discovery

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    griptoloji
  • Password:
    741852

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\16cad33f8854ca2950a1118efd4ae701a62af2d1d2a93ac3620684136861bc19N.exe
    "C:\Users\Admin\AppData\Local\Temp\16cad33f8854ca2950a1118efd4ae701a62af2d1d2a93ac3620684136861bc19N.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
      "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4704

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
    Filesize

    46KB

    MD5

    1e6b90f2497f07e21887b17279022168

    SHA1

    273e30fb6c3ca4c29b4161efcd6d2d017b774430

    SHA256

    d5d8d097f060d7553a001e53fc69cb4ad419f6a7101551221ba8fdb65a08f7a2

    SHA512

    f63a8794e0f3c51cdb3f01f2eedd1cd05389a5f1f1205cd63881f6fffefa137c5c74e547e102fc20bca02635e7c67c891590b12115d0e2ce12d90e7991f7162c

    Download Submit

  • memory/2868-0-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/2868-12-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/4704-13-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/4704-18-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/4704-19-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download